On Mon, Sep 25, 2023 at 09:30:43PM +0800, Philip Paeps wrote:
> From: Philip Paeps <phi...@FreeBSD.org>
>
> When prepending our options to a key, check if the key already has any
> options. In this case put a comma after the end of our options instead
> of a space.
First, consider that ssh-authkeys, like a lot of non-core
gitolite, can be overridden by any installation:
- set LOCAL_CODE in ~/.gitolite.rc on the server to, say,
$ENV{HOME}/local
- add/edit ~/local/triggers/post-compile/ssh-authkeys and it
will override the shipped ssh-authkeys file.
I know that raises the concern that upstream may change in some
manner at some point in future, and that will need to be rolled
in to the local-code version, but ssh-authkeys is unlikely to
have significant functionality enhancements in its limited role.
But if you *really* need this, it's best to whitelist the
options allowed. I am not comfortable allowing a user to
specify anything he wants in that line, unchecked.
I just added a key with this option
port-forwarding,permitopen="127.0.0.1:22"
in it and it overrode the no-port-forwarding in the default auth
options gitolite sets up.
sitaram
>
> To differentiate between keys with and without options, we check if they
> start with (ecdsa|(sk-)?ssh)-. This supports all keys supported by
> OpenSSH at the time of this commit. If a different algorithm is
> introduced to OpenSSH in future, this regular expression should be
> updated. Adding a full key parser to this subroutine would be overkill.
>
> Submitted by: Gleb Smirnoff <gle...@FreeBSD.org>
> ---
> src/triggers/post-compile/ssh-authkeys | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/src/triggers/post-compile/ssh-authkeys b/src/triggers/post-compile/ssh-authkeys
> index cd59aec..c4cb39b 100755
> --- a/src/triggers/post-compile/ssh-authkeys
> +++ b/src/triggers/post-compile/ssh-authkeys
> @@ -137,6 +137,7 @@ sub optionise {
> return '';
> }
> chomp(@line);
> - return "command=\"$glshell $user" . ( $kfn ? " $f" : "" ) . "\",$auth_options $line[0]";
> + return "command=\"$glshell $user" . ( $kfn ? " $f" : "" ) . "\",$auth_options" .
> + ($line[0] =~ /^(ecdsa|(sk-)?ssh)-/ ? " " : "," ) . $line[0];
> }
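Review bot: the new separator logic in the `return` line passes every option already present on the key through unchanged, so a key carrying `port-forwarding` or `permitopen=` lands after `$auth_options` and, as the reply above reports, relaxes the `no-port-forwarding` default that gitolite depends on; limit the pass-through to an allow-list of known option names (those that only tighten restrictions, such as `from=`, `expiry-time=` and the `no-*` set) and reject the line otherwise, before it is written to authorized_keys. Separately, `/^(ecdsa|(sk-)?ssh)-/` does not match OpenSSH's FIDO ECDSA key type, which begins with `sk-ecdsa-`, so such a key would be joined to `$auth_options` with a comma and rejected by sshd; `/^(sk-)?(ecdsa|ssh)-/` covers both FIDO variants.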
>
> --
> 2.39.3 (Apple Git-145)
>
> --
> You received this message because you are subscribed to the Google Groups "gitolite" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to gitolite+u...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/gitolite/20230925133043.61343-2-philip%40trouble.is.
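A whitelisting variant of the subroutine in the diff, along the lines suggested above, as an added example that is not gitolite's code: `split_options` and `optionise_checked` are hypothetical names, the allow-list is a suggested starting point, and the `command=` prefix omits the optional `$kfn` path element from the original line.

```perl
# Hypothetical hardened optionise(): take a user's key line, keep only options
# that tighten restrictions, then prepend gitolite's own options. Not gitolite code.
use strict;
use warnings;

# Options permitted on a user-supplied key. Anything that relaxes gitolite's
# defaults (port-forwarding, permitopen=, command=, environment=, ...) is absent.
my %ALLOWED = map { $_ => 1 }
    qw(from expiry-time restrict no-port-forwarding no-X11-forwarding
       no-agent-forwarding no-pty);

# Key-type prefixes OpenSSH emits; FIDO keys start with sk-ssh- or sk-ecdsa-.
my $KEYTYPE = qr/^(?:sk-)?(?:ssh|ecdsa)-\S+\s+\S+/;

# Split the leading option list from the key. Options are comma separated; a
# double-quoted value may hold commas, spaces and backslash-escaped quotes.
sub split_options {
    my ($line) = @_;
    $line =~ s/^\s+//;
    return ([], $line) if $line =~ $KEYTYPE;      # no options present
    my @opts; my ($cur, $inq) = ('', 0);
    my @c = split //, $line;
    for (my $i = 0; $i < @c; $i++) {
        my $ch = $c[$i];
        if ($inq) {                                # inside "..."
            if ($ch eq '\\' && $i + 1 < @c) { $cur .= $ch . $c[++$i]; next }
            $inq = 0 if $ch eq '"';
            $cur .= $ch;
        } elsif ($ch eq '"') { $inq = 1; $cur .= $ch }
        elsif ($ch eq ',')   { push @opts, $cur; $cur = '' }
        elsif ($ch =~ /\s/) {                      # end of the option list
            push @opts, $cur;
            (my $rest = substr($line, $i)) =~ s/^\s+//;
            die "no key type after options: $rest\n" unless $rest =~ $KEYTYPE;
            return (\@opts, $rest);
        } else { $cur .= $ch }
    }
    die "unterminated options or missing key\n";
}

# Build the authorized_keys line, refusing any option not on the allow-list.
sub optionise_checked {
    my ($glshell, $user, $auth_options, $line) = @_;
    my ($opts, $key) = split_options($line);
    for my $o (@$opts) {
        my ($name) = $o =~ /^([A-Za-z0-9-]+)/;
        die "rejected option '$o' on key for $user\n" unless $name && $ALLOWED{$name};
    }
    return join ' ', join(',', "command=\"$glshell $user\",$auth_options", @$opts), $key;
}
```

OpenSSH matches option names case-insensitively, so an allow-list keyed on exact spelling fails closed (a key with `FROM=` is rejected rather than let through), which is the safe direction.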